diff --git a/replit.md b/replit.md index 3875523b..29896ab5 100644 --- a/replit.md +++ b/replit.md @@ -228,9 +228,10 @@ Preferred communication style: Simple, everyday language. - `VITE_NOVU_SOCKET_URL`: Novu WebSocket endpoint - `VITE_NOVU_API_URL`: Novu API endpoint - `VITE_CLOUDFLARE_ACCOUNT_HASH`: Cloudflare Images account hash for image URL construction -- `VITE_SUPABASE_URL`: Supabase project URL -- Supabase credentials (injected by hosting platform) -- Cloudflare Images API credentials (stored in Supabase secrets) +- `VITE_SUPABASE_URL`: Supabase project URL (required for client initialization) +- `VITE_SUPABASE_ANON_KEY`: Supabase anonymous key (required for client initialization) +- `VITE_TURNSTILE_SITE_KEY`: Cloudflare Turnstile CAPTCHA site key (required for bot protection) +- Cloudflare Images API credentials (stored in Supabase secrets for edge functions) **Feature Flags:** - Theme persistence via localStorage 
@@ -240,16 +241,31 @@ Preferred communication style: Simple, everyday language. ## Recent Changes -### Security Fixes (October 7, 2025) +### Bug Fixes and Security Improvements (October 7, 2025) -**Environment Variable Migration:** -- Moved hardcoded Cloudflare account hash to `VITE_CLOUDFLARE_ACCOUNT_HASH` environment variable -- Updated 14 components to use environment variable instead of hardcoded values: - - Card components: ParkCard, RideCard, ManufacturerCard, OperatorCard, ParkOwnerCard, RideModelCard - - Detail pages: ParkDetail, RideDetail, ManufacturerDetail, OperatorDetail, PropertyOwnerDetail, DesignerDetail - - Upload component: PhotoUpload (now uses env var for Supabase URL) -- Verified zero hardcoded sensitive values remain in codebase +**Security Fixes:** +- Migrated all hardcoded credentials to environment variables: + - `src/integrations/supabase/client.ts`: Now uses `VITE_SUPABASE_URL` and `VITE_SUPABASE_ANON_KEY` with error handling + - `src/components/auth/TurnstileCaptcha.tsx`: Now uses `VITE_TURNSTILE_SITE_KEY` with warning UI if missing + - Previously migrated: Cloudflare account hash to `VITE_CLOUDFLARE_ACCOUNT_HASH` across 14 components +- All sensitive credentials now properly managed through environment variables + +**Race Condition Fixes:** +- `src/hooks/useEntityVersions.ts`: Added lifecycle tracking with mounted ref, channel ref for preventing duplicate subscriptions, comprehensive cleanup on unmount +- `src/hooks/useAuth.tsx`: Added mounted ref, timeout tracking and cleanup, guarded all state updates to prevent updates after unmount, improved error handling with user feedback via toast notifications + +**Memory Leak Fixes:** +- `src/components/upload/PhotoUpload.tsx`: Implemented comprehensive object URL tracking with ref-based tracking set, automatic cleanup on unmount, revocation on all success/error paths, prevents memory leaks in all scenarios + +**Input Validation Improvements:** +- 
`supabase/functions/create-novu-subscriber/index.ts`: Added validation for subscriberId and email format with structured 400 error responses +- `supabase/functions/upload-image/index.ts`: Added validation for all request methods (GET/POST/DELETE) with proper error handling +- `supabase/functions/process-selective-approval/index.ts`: Added UUID validation for userId and submissionId, array validation for itemIds, comprehensive error messages + +**Error Handling Improvements:** +- Profile fetch failures now show user-friendly toast notifications +- Edge functions return structured error responses (400 for validation, 401 for auth, 500 for server errors) +- All async operations properly handle errors with user feedback **Import Fixes:** -- Fixed sonner.tsx to import `useTheme` from local `@/components/theme/ThemeProvider` instead of incorrect `next-themes` package -- Ensures proper theme functionality without external dependency issues \ No newline at end of file +- Fixed sonner.tsx to import `useTheme` from local `@/components/theme/ThemeProvider` instead of incorrect `next-themes` package \ No newline at end of file
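Review bot: In the environment-variable list (first hunk), the three new `VITE_*` entries are annotated only as "required", which invites a reader to treat them as secrets; Vite inlines every `VITE_`-prefixed variable into the shipped browser bundle, so `VITE_SUPABASE_URL`, `VITE_SUPABASE_ANON_KEY` and `VITE_TURNSTILE_SITE_KEY` are public client values and the page should say so. Suggest adding one line such as "All `VITE_*` values are embedded in the client bundle and are not secrets; the Supabase service-role key and the Turnstile secret key must only live in Supabase secrets for edge functions", and noting that exposing the anon key is only safe while Row Level Security is enabled on every table it can reach. The removed line "- Supabase credentials (injected by hosting platform)" was also the only place the document said where these values come from at deploy time; that provenance should be carried into the new entries rather than dropped.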
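Review bot: The "Security Fixes" block (second hunk) claims "Migrated all hardcoded credentials to environment variables" and "All sensitive credentials now properly managed", but the four values it names (Supabase URL, anon key, Turnstile site key, Cloudflare account hash) are all public client-side identifiers, so the wording overstates the fix, and the old line "- Verified zero hardcoded sensitive values remain in codebase" is dropped without a replacement; keep or restate that verification and say whether the previously hardcoded values remain in git history. Second, the `TurnstileCaptcha.tsx` entry says the component "now uses `VITE_TURNSTILE_SITE_KEY` with warning UI if missing"; a warning rendered in place of the widget means the form can be submitted without a CAPTCHA token, so the note should state that the server-side Turnstile token check still rejects the request (or that sign-up is blocked) when the key is absent, otherwise this fails open. Third, the `upload-image/index.ts` line lists request-method validation for GET/POST/DELETE but not whether the caller is authenticated before a DELETE is honoured; since the "Error Handling Improvements" list promises 401 for auth, state that the auth check runs before method handling.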